Cyber Security Headlines – Detailed Summary
Episode Title: NordPass popular passwords, Healthcare extortion sentence, China breached telecoms
Host: Steve Prentice, CISO Series
Release Date: November 15, 2024
1. China Threat Actors Breach U.S. Telecoms
In the opening segment, Steve Prentice highlights a significant national security concern involving Chinese threat actors. According to the FBI and Cybersecurity and Infrastructure Security Agency (CISA), a large-scale cyber espionage campaign spearheaded by China-linked groups targeted U.S. telecom providers in October 2024.
"China threat actors breached U.S. broadband providers to spy on U.S. government officials," [00:00] Prentice reports.
The compromised telecom networks were exploited to steal call records and access private communications, predominantly affecting government and political figures. The threat group identified is Salt Typhoon, distinct from the similarly named Volt Typhoon. This breach is under intense investigation due to its implications for national security.
"This attack has been attributed to Salt Typhoon, a group that is different from Volt Typhoon. The breach has been described as a major national security risk," [00:00] Prentice adds.
As this story is still developing, Prentice emphasizes the ongoing nature of the investigation and its potential impact on U.S. national security.
2. NordPass Reveals Disappointing Password Trends
Steve Prentice transitions to discussing the latest report from NordPass, a prominent password manager and sister company of NordVPN. For the sixth consecutive year, NordPass has published its list of the 200 most common passwords, unveiling concerning trends in password security.
"People are really bad at choosing hard-to-crack passwords," [00:03] Prentice comments on the findings.
The top spot remains dominated by variations of "123456," followed by "QWERTY" and single-word passwords like "password" and "secret." These weak passwords can be cracked in less than a second, posing significant security risks.
NordPass derived its list from a massive 2.5 terabyte database encompassing personal and professional passwords sourced globally, including the Dark Web. The analysis revealed that many passwords were obtained through malware or data breaches, with leaked email addresses aiding in distinguishing between personal and business usage.
"There really hasn't been any improvement over these past six years," [00:03] Prentice notes, pointing to the stagnation in password security practices.
Prentice directs listeners to the show notes for a link to the full NordPass report, underscoring the importance of strong password practices.
3. US Healthcare Extortionist Receives 10-Year Prison Sentence
The episode covers the sentencing of Robert Purbeck, a 45-year-old man from Idaho, who was convicted for a significant healthcare extortion scheme.
"Robert Purbeck has now been sentenced to 10 years in prison for hacking at least 19 organizations in the United States," [00:06] Prentice outlines the case.
Purbeck executed his scheme by purchasing unauthorized access to computer servers of a medical clinic in Georgia via a darknet marketplace in 2017. This breach allowed him to steal personal data of over 43,000 individuals, including sensitive information like names, addresses, and Social Security numbers. His activities expanded the following year to include access to a Georgia-based police department server, compromising data of an additional 14,000 people.
Utilizing the stolen information, Purbeck engaged in extortion by threatening to release the compromised data unless ransoms were paid. His actions affected 19 organizations and over 132,000 individuals.
"He has now been sentenced to 10 years in prison along with three years of supervised release and the obligation to pay his victims over $1 million in restitution," [00:06] Prentice concludes the segment.
This case highlights the severe legal repercussions for cybercriminals involved in data theft and extortion.
4. Microsoft Power Pages Misconfiguration Leads to Massive Data Exposure
Steve Prentice brings attention to a critical security lapse in Microsoft Power Pages, a tool designed to streamline website creation and data integration for businesses. According to a blog post from AppOmni, improper management of security controls has resulted in millions of records being left accessible to the public internet.
The misconfiguration involved the role-based access control (RBAC) model used by Power Pages. Assigning excessive permissions to roles such as anonymous users (unauthenticated visitors) and authenticated users (logged-in visitors) inadvertently exposed sensitive data. This oversight has potentially exposed employee information and internal files to unauthorized access.
Prentice underscores the importance of meticulous security configuration to prevent such widespread data leaks, urging organizations to review and enforce stringent access controls within their systems.
5. Strela Stealer Malware Resurgence in Europe
The discussion moves to the resurgence of Strela Stealer malware, particularly in Spain, Germany, and Ukraine. The group behind these attacks, identified as Hive0145, employs phishing emails masquerading as legitimate invoice notifications to infect targets.
"Hive0145 is the tool's sole operator," [00:09] Prentice cites IBM X-Force researchers.
Initially, Hive0145 utilized fabricated accounts to send fake invoices and receipts. However, they have recently shifted tactics by leveraging stolen emails from real entities across various sectors, including financial technology, manufacturing, media, and e-commerce. This evolution in their approach enhances the sophistication and effectiveness of their phishing campaigns, making detection and prevention more challenging.
Prentice highlights the adaptability of cybercriminals and the need for continuous vigilance against evolving malware threats.
6. Hackers Employ macOS Extended File Attributes to Conceal Malicious Code
Innovative malware delivery techniques are also covered, with a focus on the RustyAttr Trojan. Hackers are exploiting Extended Attributes (EAs) in macOS files to hide malicious code, thereby evading traditional detection methods.
"Threat actors hide malicious code in custom file metadata and also use decoy PDF documents to help evade detection," [00:10] Prentice explains.
The process involves embedding shell scripts within an extended attribute named "test," which is not directly visible through standard file browsing tools. Additionally, these attacks often deploy decoy PDF files or display error dialogs to distract and mislead security systems and users.
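A defender-side illustration of the point above, added here and not part of the episode or of any vendor's tooling: a small scanner that treats a file's extended attributes as a detection surface, flagging any attribute whose value looks like script content or that is an unusually large non-Apple attribute. The attribute names, sizes and sample values below are constructed for the example; the 64-byte threshold is an assumed heuristic, not a published one.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns that indicate executable script content rather than ordinary
# attribute data (Finder tags, quarantine records, download origins).
SCRIPT_MARKERS = (
    re.compile(rb"\A#!\s*/"),             # shebang line at the very start
    re.compile(rb"\bosascript\b"),        # AppleScript/JXA runner
    re.compile(rb"\b(bash|sh|zsh)\s+-c\b"),  # inline shell command string
)

# Attributes macOS itself writes routinely; anything else gets a closer look.
KNOWN_MACOS_XATTRS = {
    "com.apple.quarantine",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.TextEncoding",
}
LARGE_ATTR_BYTES = 64  # assumed heuristic threshold for "unusually large"

@dataclass
class Finding:
    attr: str
    reason: str

def classify_xattrs(xattrs: Dict[str, bytes]) -> List[Finding]:
    """Return one Finding per suspicious attribute, in attribute order."""
    findings: List[Finding] = []
    for name, value in xattrs.items():
        if any(p.search(value) for p in SCRIPT_MARKERS):
            findings.append(Finding(name, "script content in attribute value"))
        elif name not in KNOWN_MACOS_XATTRS and len(value) > LARGE_ATTR_BYTES:
            findings.append(Finding(name, "large non-standard attribute"))
    return findings

def read_xattrs(path: str) -> Dict[str, bytes]:
    """Collect a file's extended attributes. os.listxattr exists on Linux
    only; on macOS the equivalent view is `xattr -l <file>`."""
    if not hasattr(os, "listxattr"):
        raise NotImplementedError("os.listxattr is unavailable on this platform")
    return {name: os.getxattr(path, name) for name in os.listxattr(path)}

# Constructed sample: a normal quarantine record, a benign comment, a script
# hidden in an attribute named "test" (as in the story), and a large blob.
SAMPLE_XATTRS = {
    "com.apple.quarantine": b"0083;66f2a1b0;Safari;",
    "user.comment": b"quarterly report",
    "test": b"#!/bin/sh\necho constructed-sample\n",
    "com.example.blob": b"A" * 100,
}

if __name__ == "__main__":
    for f in classify_xattrs(SAMPLE_XATTRS):
        print(f"{f.attr}: {f.reason}")
```

Point `read_xattrs` at a real path to feed `classify_xattrs` on a live system; the sample dictionary exists only so the logic runs offline.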
This method underscores the increasing complexity of malware concealment strategies, necessitating advanced security measures to identify and neutralize such threats.
7. Malware Delivered via Postal Mail in Switzerland
In a novel delivery method, the Swiss Federal Office for Cybersecurity has issued warnings about malware being disseminated through traditional postal mail. Letters purportedly from MeteoSwiss, the country's meteorological agency, contain printed QR codes that link to malicious downloads.
"These postal letters... are being used to spread malware," [00:10] Prentice reports.
Recipients who scan the QR codes are directed to download stealer malware, specifically the Coper and Octo2 variants, which are designed to extract login details from over 383 mobile applications, including e-banking services. While sending malware via postal mail is uncommon due to the logistical overhead of postage, this tactic exemplifies the lengths to which cybercriminals will go to infiltrate systems.
Prentice emphasizes the importance of skepticism towards unsolicited postal communications and the need for robust security practices to mitigate such unconventional attack vectors.
Upcoming Episode: Week in Review with Brett Conlon
Steve Prentice concludes the episode by announcing the upcoming "Week in Review" show featuring Brett Conlon, CISO at American Century Investments. Scheduled for later the same day at 3:30 PM Eastern, the show will offer expert commentary on the week's cybersecurity news. Listeners are encouraged to participate and share their comments via the CISO Series YouTube live channel by registering on the events page.
"Make sure to join us later today at 3:30pm Eastern for our Week in Review show," [00:12] Prentice invites listeners.
Conclusion
This episode of Cyber Security Headlines provides a comprehensive overview of critical developments in the information security landscape, ranging from state-sponsored espionage to evolving cybercriminal tactics. By highlighting recent breaches, password security issues, and innovative malware delivery methods, host Steve Prentice offers valuable insights for cybersecurity professionals and enthusiasts alike. For more in-depth stories, listeners are encouraged to visit CISOseries.com.
